The federal Computer Fraud and Abuse Act ("CFAA") provides for civil remedies against individuals who have accessed a protected computer without authorization or in excess of their authorization. With increasing numbers of employees using computers at work, employers have turned to the CFAA in situations where disloyal employees have pilfered company information from the employer's computer system. The vague language of the CFAA, however, has led courts to develop three different interpretations of "authorization" in these CFAA employment cases, with the result that factually similar cases in different courts can generate opposite outcomes in terms of employee liability under the statute. This Note examines the three alternative interpretations of authorization in CFAA employment cases and concludes that courts should generally employ a code-based interpretation as the default definition of authorization under the CFAA, with employment contracts that clearly outline the limits of employee computer access providing meaning to authorization in cases where courts in their discretion find it to be appropriate.
TABLE OF CONTENTS

INTRODUCTION

I. THREE INTERPRETATIONS OF AUTHORIZATION

A. Agency-Based Interpretation

B. Code-Based Interpretation

C. Contract-Based Interpretation

II. LEGISLATIVE HINTS

A. Specific Legislative Intent or the Lack Thereof

B. Looking More Broadly: The General Legislative Aim of Combating Computer Misuse and an Allowance of Judicial Discretion

1. The General Legislative Aim of Combating Computer Misuse

2. A Legislative Grant of Discretion for Determining Authorized Access?

III. EVALUATING THE ALTERNATIVES

A. A Code-Based Approach as the Standard Default Interpretation

B. Evaluating the Merits of the Alternatives

1. The Agency-Based Approach

2. The Contract-Based Approach

C. The Code-Based Default with a Contract-Based Alternative in Practice

CONCLUSION
INTRODUCTION
Computers are widely used in the workplace for understandable reasons: they often increase productivity, making employees more efficient and effective at their jobs. (1) But by making information more accessible and shareable, computers and computer networks in the workplace increase the risk that certain information--confidential, proprietary, or trade secret information--may end up in the hands of competitors. In light of this risk, companies take preventative measures; they encode computer networks to discourage hackers and require employees to enable and utilize password protections to prevent use by outsiders. These preventative measures, however, do little to protect against one risk: that an employee himself will use his access to the company's computers and network to gather and turn over such confidential, proprietary, or trade secret information to competitors.
Yet while it may be difficult to fashion preventative measures to thwart the efforts of such a rogue employee, companies are increasingly finding that they can recoup the associated losses through the use of a federal computer-misuse statute. This statute, the Computer Fraud and Abuse Act ("CFAA"), (2) was originally developed to target computer hackers. (3) The CFAA also, however, allows private citizens to bring suits against a person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer" or who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access." (4) Thus, employers can bring their rogue employees into court, arguing under the rather general language in the CFAA that the employee was without authorization or exceeded his authorization to access the company computer system when he did so to obtain proprietary company information for devious, non-business purposes.
Courts, however, have trouble applying the CFAA's vague "authorization" language to the delicate and complex relationship that exists between employees and employers. Naturally questions arise over what it means to access without authorization or exceed authorized access when the person's employee status means that he already has authorization to access a computer--that is, his employer has directed him to use a computer and create, modify, or otherwise use the information on that computer system. In response to the problem of applying the CFAA's vague statutory language in employment situations, courts have developed three different understandings of authorization: agency based, code based, or contract based. Courts following an agency-based interpretation determine authorization through principles of agency law, such as employee loyalty. (5) Courts opting for a code-based interpretation define authorization by technical limits within computer systems, such as employer-installed password requirements. (6) Finally, some courts apply a contract-based interpretation under which authorization is determined by contractual limits placed in employee agreements and policies. (7)
The current state of confusion over how to define an employee's liability for computer misuse under the CFAA is undoubtedly less than ideal. This Note seeks to provide some clarity to the dispute by analyzing the legislative history and asking which approach best effectuates legislative intent behind the CFAA. Ultimately this Note suggests that courts should adopt a code-based approach to authorization as a default interpretation, while allowing contracts that are clearly applicable and aimed to prevent computer misuse to define authorization in some CFAA employment cases. Part I reviews the various interpretations of authorization within the employment context. Part II analyzes the legislative history of the CFAA, noting that while this history does not supply meaningful information regarding the specific legislative intent behind the authorized-access phrases within the CFAA, a more general look at the legislative history provides two valuable insights: first, the general legislative aim of the CFAA is combating computer misuse; and second, there is congressional assent to greater judicial discretion in defining authorization in CFAA cases involving insiders, such as employment cases. Based on these insights, Part III proposes the adoption of a code-based default interpretation and evaluates the merits of the agency-based approach and the contract-based approach as alternative interpretations in CFAA employment cases. This Part concludes by stressing the value of an approach where courts prefer a code-based understanding of authorization in most situations, but are free to deviate and determine authorization based on contracts in certain CFAA employment cases.
I. THREE INTERPRETATIONS OF AUTHORIZATION
Although the CFAA is primarily a criminal statute, individuals and companies can also bring private civil suits against CFAA violators. (8) Many of these civil suits involve employers and their former employees. (9) In such suits, the employing company uses the CFAA to receive damages or an injunction after an employee uses a company computer to access, email, or copy sensitive company information. (10) A company's success in proving a violation of the CFAA within a given set of facts often turns on the court's answer to the following question: what does it mean to say that a person "intentionally accesses a computer without authorization or exceeds authorized access"? (11) The ambiguity of the statutory language has led courts to adopt different approaches to answering this question, with the result that employers and employees are often left without a consistent understanding of how a court will assess their CFAA claims.
One can, however, distill three distinct categories of approaches from the courts' treatment of authorization in CFAA employment cases: the agency-based interpretation, the code-based interpretation, and the contract-based interpretation of authorization. These different interpretations have emerged slowly; it was only recently, after the Seventh Circuit's endorsement of an agency-based approach, that courts began to expressly note the possibility of alternative interpretations to authorization in their opinions. (12) This Part explores the development and operation of each of the categories of interpretation of employees' authorization in CFAA cases.
A. Agency-Based Interpretation
As suggested by the name, the agency-based interpretation of authorization is based on common-law agency principles. (13) The employer-employee agency relationship imposes "special duties on the part of both the employer and the employee which are not present in the performance of other types of contracts." (14) Important for our concerns, the employee owes a duty of loyalty to his employer, which requires him to act solely for the benefit of the employer or company. (15) Moreover, the employee's authority to act on behalf of the employer terminates when he obtains an interest adverse to the employer--for example, if he begins to work for a competitor. (16) Thus, importing these principles into authorization under the CFAA, an employee's authorization is implicitly revoked when he accesses a computer for purposes that do not further his employer's interests.
Courts adopting the agency-based interpretation determine whether computer access was authorized under the CFAA through the direct use of these basic agency principles. In the first case to apply agency principles, an employee of a self-storage business emailed confidential information to a competitor just prior to leaving to work for that competitor. (17) In determining whether this access was unauthorized and violated the CFAA, the court relied on section 112 of the Second Restatement of Agency, which states, "Unless otherwise agreed, the authority of an agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal." (18) Applying this principle, the court found that "the authority of the plaintiff's former employee[] ended when [he] allegedly became [an] agent[] of the defendant ... when [he] allegedly obtained and sent the proprietary information to the defendant via e-mail." (19) Notably, the court claimed that this agency-based interpretation was the plain meaning of authorization within the CFAA and in line with its legislative history. (20)
The Seventh Circuit gave credit to this interpretation by adopting it in International Airport Centers, L.L.C. v. Citrin. (21) There, the court used agency principles to find that an employee violated the CFAA by deleting all the data on a company laptop and loading a secure-erasure program to ensure that none of the deleted information was recoverable. (22) The court relied on agency law in assessing Citrin's actions:
[Citrin's] authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee. (23)
Although the Seventh Circuit's decision also cited section 112 of the Second Restatement of Agency, the court focused more broadly on the duty of loyalty concept within agency law. (24) The court noted that the only basis of Citrin's authority to access the laptop rested in his agency relationship with IAC and that the agency relationship ended when Citrin breached his duty of loyalty. (25)
The import of the Seventh Circuit's decision to adopt the agency-based interpretation in Citrin has been notable. The decision has acted as a validation of that approach for many judges, as the number of district courts now employing an agency-law understanding of authorization in determining CFAA claims suggests. (26) Additionally, practitioners have taken note of the decision, releasing papers on how to both use this interpretation of the CFAA to one's advantage (27) and mitigate its negative implications. (28) Notable as well is the fact that this agency-based interpretation is undoubtedly the most employer-favorable approach, since simply characterizing the employee's actions as against the employer's interests will likely result in liability. (29) Indeed, while there is no compiled data for the assertion, the acceptance of this approach by a major circuit court appears to have increased company filings of CFAA claims. (30) Since Citrin, it has become clear that the agency-based interpretation is beginning to become a real contender as the leading interpretation of authorization within the CFAA. Yet the costs of this approach may outweigh its benefits. (31)
B. Code-Based Interpretation
The code-based interpretation of authorization is rooted in the operation of computer systems; access is unauthorized where a person bypasses code-based protections designed to limit his use of the computer system. (32) This can occur where an individual guesses at passwords or uses other false means to get past a password-protected zone or other security mechanism. (33) Notably, this understanding of authorization limits liability to instances where a user explicitly manipulates a computer system into giving him greater access and use privileges than he would otherwise have. (34) As such, where an employee has been affirmatively granted the ability to use and access a computer database or system, his authorization cannot be challenged under the code-based interpretation. (35)
The code-based interpretation can be traced back to the earliest CFAA cases involving authorization questions. For example, United States v. Morris (36) invoked a close analogue to the code-based interpretation with its "intended function" test. (37) In Morris, the Second Circuit held that a graduate student violated the CFAA by accessing computers without authorization because he used email and other programs in a manner not related to their intended function; his use instead located holes in the programs, giving him a special and unauthorized access route into other computers. (38) Thus, the intended function test asks whether a user violated the intended function of a network or program to gain access not intended by the programmer or network administrator. (39) The test is similar to a code-based interpretation of authorization because violation of the intended function is often done through technical means, such as by finding holes in programs, or bypassing passwords or other protection systems. (40)
More recently, courts have revived the code-based interpretation of authorization in CFAA cases involving employees and employers as a response to the agency approach used in Shurgard and Citrin. Perhaps the most vocal criticism of the use of agency principles in Citrin came in a district court opinion from Florida, Lockheed Martin Corp. v. Speed. (41) The circumstances in Speed were factually similar to those in Shurgard. Plaintiff Lockheed Martin claimed that competitor L-3 conspired with three of Lockheed's former employees to wrongfully obtain trade secrets. (42) The court noted that the plain language of the statute was sufficiently clear such that courts should not resort to extrinsic materials like the Second Restatement of Agency, as done in Shurgard and Citrin. (43) Moreover, the court asserted that the use of agency principles created an inconsistency within the text of the CFAA. (44) Finally, the court concluded that reading agency principles into authorization would bring "remarkable reach to the statute" and pose problems in the criminal context with regard to the rule of lenity. (45)
A close reading of Speed demonstrates that the court favored a more code-based interpretation of authorization, which it labeled as the "plain language" interpretation of authorization. (46) Under this interpretation, the court found that because the employees were permitted to access the company computers and the precise information at issue, they were not acting without authorization or exceeding authorized access. (47) The court explicitly noted that the CFAA only concerns itself with improper access and not what the employees may have done with information after authorized access. (48) In evaluating the technical authority of the individuals to access--looking only at whether an employee has exceeded the level of access they have been granted by employers and not at the motive behind the questioned access--the Speed court's plain language interpretation of authorization is more properly labeled as code based.
In the few years since the Speed decision first challenged the agency-based interpretation adopted by the Seventh Circuit, other district courts have similarly expressed hesitancy about the Citrin approach. (49) Like the Speed court, these courts place significance on the fact that individuals have been expressly allowed to view or use information, finding it irrelevant with regard to liability under the CFAA whether the ultimate use of that information was improper in the employment context. (50) Although a circuit court has not yet explicitly...